Hey! I know I haven’t written anything in a long while and this is way overdue, but since the last time I wrote, I changed jobs and my last job kept me incredibly busy, to a fault.

But now is the time to start writing again!

So, one of my first tasks as the new lead developer is to write an API for mobile apps that feeds off the main company platform, which is using DotNetNuke. One of the biggest challenges was the authentication. The website uses DNN’s implementation of SqlMembershipProvider, with encrypted passwords.

I’ve been looking for days to find a solution on how to use the data and what format the data was encrypted, etc, when I came across an amazing article written by Leigh on StackOverflow. Here’s the link (and shoutout to Leigh!)

This article has the right method, but is using ColdFusion. Here’s my converted code using NodeJS:

So, the important thing to know here, thing that isn’t really well explained on Microsoft’s website, is that the PasswordSalt IS used in decrypting the password (the website says it’s just stored but not used). Also, the cipher needs to use an initialization vector.

Here is where the magic happens. The trick is to prepend the salt to the password into a buffer before encrypting it. This is done by copying both buffers we created earlier into one that’s large enough to contain both.

This creates the cipher object we’ll use to encrypt the password. .NET uses a Triple-DES in CBC mode. Don’t worry about the padding mode, it’s fine. Pass in the decryption key in binary format as well as the initialization vector buffer and you’re good to encrypt!

Update the cipher object with the combined salt and password buffer, set the input format to UTF-8 and the output format to base64 (that’s the format .NET uses to store the combined password to the database) and add the final base64 fragment.

Voila! Your password is encrypted and can now be used by .NET!

For the decryption, simply use createDecipher instead of createCipher and slice the salt off the result and you got your password! Here’s the code: